
10 Ways To Fail A PCI Audit

Working on compliance with payment card data security guidelines? Don't make these common mistakes

Retailers and other companies that accept credit card payments have had to comply with the Payment Card Industry Data Security Standard for over six years now. Included in PCI DSS are the 12 major requirements and 221 subrequirements that businesses must meet to protect credit card data from data theft. But even after years of refining these standards, undergoing exhaustive training, and facing the threat of financial penalties from the card brands, many businesses still fail to comply with the basic requirements.

According to Verizon's "2011 Payment Card Industry Compliance Report," only 21% of organizations met the more than 200 must-pass requirements for PCI during their first try at validation last year. The other 79% had to go through further remediation to show they were in compliance for the year. And more than likely, a year later they're out of compliance again--75% of organizations fell out of compliance after passing an audit the previous year.

This process is costing companies a pretty penny in consulting and auditing fees. So figuring out the root causes of failing a PCI audit would help a lot of businesses. Avoid these 10 common mistakes and your company will be well on the way to PCI compliance.

1) Picking First Auditor Who Comes Along

Businesses get to pick their own Qualified Security Assessors, the PCI Security Council-certified experts who conduct the PCI audit. Vet your auditor well, far in advance of any deadline. While the PCI Council has worked to even out the quality of its auditors, there's still a lot of variation in auditing and remediation philosophies, experience levels, and PCI knowledge.

"Choosing the right auditor can mean the difference between weeks of effort and months of effort to become compliant," says James Brown, CTO of StillSecure, a network access control and cloud security company. The best way to find the right auditor for your company is to get references and look into past audit performance.

One of the most important questions before hiring a QSA company is how many Reports of Compliance they've completed in the last year, says Dave Whitelegg, a security and compliance consultant for IT Security Expert, an IT security consultancy. Twenty or more and they probably have a good base of expertise in PCI DSS assessments. "Anything less than 10, then to be brutally honest, you're likely to be dealing with an amateur QSA organization," he warns.

Look for QSAs who offer consistent advice and interpretation of the rules, and whose personalities mesh with your own IT staff's. Make sure to ask about procedures they follow when remediation is needed and get a feel for their willingness to work with you to find solutions rather than jumping into an adversarial role.

Don't choose a QSA solely based on cost or the likelihood of getting an easy pass. And keep in mind why you're doing the audit.

"Institutions can spend so much time meeting requirements that they forget their first responsibility: protecting their customers' trust," says Bill Munroe, VP of Verdasys, a data security company. Don't get so in the weeds with the "hows" of passing a PCI audit that you forget the "whys," Munroe warns.

2) Skipping Pre-Audit Assessment

Are you really sure you're ready for your assessment? Companies can bring in a QSA firm too early in the process, before checking whether they themselves have a handle on all of the PCI requirements, says Court Little, director of strategic security at Solutionary, a QSA firm.

"They'll just jump into this and say, 'I need an auditor to come in.' And we get there, and it's just a bloodbath of marking up red," Little says. In some cases, he says, his people are contracted for a four-day engagement that ends after two because they're wasting everyone's time. "That's when they say, 'Let's revisit this once you guys get a better handle on this because you're not even close to being ready for an audit,'" Little says.


One tactic is to have a qualified security consultant familiar with PCI conduct a gap analysis to assess whether you're meeting PCI requirements or are way off the mark.

"It's so much more cost-effective to do that gap analysis and do it right in the first place than getting a report dipped in red and having to go back in six months and have that person revalidate," Little says.

Once you think you're close to complying, another option is a pre-audit assessment over the phone with the QSA. Less comprehensive than a gap analysis, pre-audits go over compliance details before the QSA steps through the door.

3) Starting Without A Pre-Audit Checklist

Don't limit your preparation to just strategic gap analysis and pre-audit assessment. Companies that don't prepare for all the information, paperwork, and interviews that the QSA will want put their PCI status at risk.

Not having specific information at hand or the right executive available for an interview won't fail you outright, but it's guaranteed to lengthen the validation process, irritate the assessor, and cost your business money.

Auditors often go into a company and say, "I need this documentation, these logs, and to interview these people," and that can catch companies off guard, Little says. Make sure you ask the QSA what you must do to get ready for the audit.

Unprepared managers do things like have 15 people twiddling their thumbs in a room all day just in case the auditor needs to interview them, says Little, who has seen such time wasters firsthand.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

1 of 3